In this regard, the judgment notably acknowledges the finding of vicarious liability could lead to the paradoxical result of furthering the intention of the rogue employee – which was to cause financial harm to his employer.
It remains to be seen whether the findings of the judgment will survive the appeal process. In addition, the judgment does not deal with the important issue of quantum, so it is not clear what level of damages award might be made against a company (and perhaps ultimately passed on to insurers) in these circumstances.
In 2014, a rogue employee of Morrisons supermarkets leaked the payroll data of almost 100,000 Morrisons employees – including their names, addresses, National Insurance Numbers, bank accounts and salaries. The employee, Andrew Skelton, was ultimately given an eight-year prison sentence for various criminal offences as a result of his actions.
A group of 5,518 former and current employees of Morrisons subsequently brought a claim against Morrisons in the English courts, alleging breaches by Morrisons of the Data Protection Act 1998 (DPA), as well as an equitable claim for breach of confidence and a tort claim for misuse of private information. The claimants argued Morrisons should be held directly liable for the losses arising out of the breach or vicariously liable for the acts of Skelton.
Morrisons defended the claims on the basis it could not be held liable, either directly or vicariously, for Skelton’s unauthorised criminal misuse of data to which he had access. The court held primary liability could not be imposed on Morrisons under the DPA for breach of confidence or for misuse of private information. This finding was made on the basis it was not Morrisons itself which caused the data breach – rather, the breach was caused by Skelton, acting without authority and criminally.
However, vicarious liability could be imposed on Morrisons in relation to the actions of Skelton. In this regard, the court referred to the existing body of case law in finding that: an employer such as Morrisons can be held liable for the acts of their employees “in the conduct of the employees’ employment” and Skelton’s actions in leaking the data were committed in the conduct of his employment.